Asker

NAP 802.1x Enforcement – Switches we’ve tested w/NAP

General discussion

I've heard from countless people that they would like to see a list of 802.1x switches that we have seen working with NAP. My teammate Calvin Choe just blogged our up-to-date list of vendors / switches we have verified. Check it out!

If I'm correct it should support IEEE 802.1x VLAN Assignment for dynamic VLAN switching under NAP, but basically the device should accept RADIUS attributes and apply them. The RADIUS attributes I used in my research are:

64 (Tunnel Type)
65 (Tunnel Medium Type)
81 (Tunnel Private Group ID)

Perhaps some vendors use specific attributes for VLAN assignment, but these standard ones do the trick on my tested equipment.

In my research of NAP I found that the following Cisco devices "should" support this feature, provided they have a recent IOS to support the feature:

Basically you only need the support for 802.1x authentication using PEAP with MS-CHAPv2 or certificate as EAP method. Then you can have an "on/off decision" at the switchport.

Most of the other mentioned functions in your list, which is in fact part of a feature list for Cisco IOS devices, are needed because life is not fair ;-)

In a heterogeneous network setup with multivendor equipment as network and system devices, you will need more functions, for instance for realising guest networks for non-authenticated devices, additional authentication methods like MAC-based auth, failsafe network segments for basic network functionality in case of troubles with the dot1x implementation, authentication-based VLAN switching (if all your clients are able to understand a dynamic IP address change), etc.

So at the end your total solution design defines which functions your network access devices must have to implement your special solution.

Too complicated? Perhaps think about different enforcement methods like DHCP or inline filtering devices like ConSentry instead of using dot1x, or wait for more feature-complete versions of 802.1x in some years ;-) The last and incomplete revision of the standard is from 2004, which is far away from today's technologies.

It's a year ago you asked if anyone wanted to know how you did this; I've an Aironet 1100 and can't work it out. If you still have the instructions for the 1231 can you let me know how you did it please?

Does using the NAP wizard and the attributes that are referenced in there not work?

Right click the main node of NPS.
Click the "Configure NAP" link in the right hand box.
Answer the questions in the wizard.

In general, the following attributes should work:

Tunnel PVT Group ID
Tunnel Assignment ID
Tunnel Medium Type
Tunnel Type

In my experience, Cisco devices in particular have problems when you send the Filter-ID attribute along with any of these standard tunnel attributes, so make sure that you are not sending a combination of these together with the Filter-ID attribute.
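As an added example, not code from the thread, from NPS or from any switch vendor: the script below encodes the three attributes named earlier in the thread (64 Tunnel-Type, 65 Tunnel-Medium-Type, 81 Tunnel-Private-Group-ID) as RFC 2868 tagged values for a given VLAN, parses the resulting RADIUS attribute bytes back, and checks an Access-Accept for the pitfall in the last reply, Filter-Id sent alongside the tunnel attributes. The attribute numbers and the values VLAN (13) and IEEE-802 (6) are from RFC 2865/2868/3580; the VLAN 100 sample, the tag value 1 and the "guest-acl" Filter-Id string are constructed for the example.

```python
"""Encode and sanity-check RADIUS tunnel attributes for 802.1X dynamic VLAN
assignment (RFC 2868 / RFC 3580).  Constructed example; not NPS or vendor code."""
import struct

# Attribute type numbers (RFC 2865 / RFC 2868)
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_ASSIGNMENT_ID = 82

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"

TUNNEL_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, TUNNEL_ASSIGNMENT_ID}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, header included), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag: int, number: int) -> bytes:
    """RFC 2868 tagged integer: 1-byte Tag followed by a 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F or not 0 <= number < 2**24:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return bytes([tag]) + number.to_bytes(3, "big")


def tagged_string(tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: 1-byte Tag followed by the string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return bytes([tag]) + text.encode("ascii")


def build_vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Attributes 64/65/81 telling an 802.1X switch to place the port in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return (
        encode_attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
        + encode_attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        + encode_attr(TUNNEL_PRIVATE_GROUP_ID, tagged_string(tag, str(vlan_id)))
    )


def parse_attributes(raw: bytes) -> list:
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = raw[pos], raw[pos + 1]
        if length < 3 or pos + length > len(raw):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, raw[pos + 2:pos + length]))
        pos += length
    return attrs


def check_vlan_assignment(attrs: list) -> list:
    """Return the problems found in an Access-Accept meant for dynamic VLAN assignment."""
    problems, by_type = [], {}
    for attr_type, value in attrs:
        by_type.setdefault(attr_type, []).append(value)

    for needed in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if needed not in by_type:
            problems.append(f"missing attribute {needed}")
    if problems:
        return problems

    tt = by_type[TUNNEL_TYPE][0]
    tm = by_type[TUNNEL_MEDIUM_TYPE][0]
    pg = by_type[TUNNEL_PRIVATE_GROUP_ID][0]
    if int.from_bytes(tt[1:], "big") != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if int.from_bytes(tm[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    # A first byte above 0x1F is not a tag but part of the string (RFC 2868 s3.6)
    group = pg[1:] if pg[0] <= 0x1F else pg
    if not group.isdigit():
        problems.append("Tunnel-Private-Group-ID is not a numeric VLAN ID")
    if pg[0] <= 0x1F and len({tt[0], tm[0], pg[0]}) != 1:
        problems.append("tunnel attributes carry different tags")
    # The pitfall reported in the thread: Filter-Id together with tunnel attributes
    if FILTER_ID in by_type and by_type.keys() & TUNNEL_ATTRS:
        problems.append("Filter-Id (11) sent alongside tunnel attributes; send one or the other")
    return problems


if __name__ == "__main__":
    accept = build_vlan_attributes(100)          # constructed sample: VLAN 100
    print(accept.hex(), check_vlan_assignment(parse_attributes(accept)))
    with_filter = accept + encode_attr(FILTER_ID, b"guest-acl")  # constructed name
    print(check_vlan_assignment(parse_attributes(with_filter)))
```

Running the script prints an empty problem list for the plain VLAN 100 reply and one finding once a Filter-Id is appended; feeding `parse_attributes` the attribute bytes from a packet capture of your own NPS replies lets you run the same check against what the server actually sends.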